Encryption: Backdoors That "Work" Don't Exist Because They Are A Fantasy

Last week, FBI Director James Comey told senators that encryption was making it harder for the FBI to do its job. To back his words, he brought up examples of instances where the agency couldn't access electronic information despite having the legal right to do so. And while you won't find many denying that this is the case – encryption software, after all, is meant to make it hard to access information, regardless of who's looking to access data – you'll find plenty of detractors to the director's stance that backdoors to encryption are useful.

This is not the first time (nor the last, we presume) that Comey has brought up the issue of backdoors for encrypted data. In October of last year, Comey also talked about the issue. Furthermore, he said the FBI wasn't looking for a backdoor, but a "front door":

There is a misconception that building a lawful intercept solution into a system requires a so-called “back door,” one that foreign adversaries and hackers may try to exploit.

But that isn’t true. We aren’t seeking a back-door approach. We want to use the front door, with clarity and transparency, and with clear guidance provided by law. We are completely comfortable with court orders and legal process—front doors that provide the evidence and information we need to investigate crime and prevent terrorist attacks.

While one can appreciate the FBI's insistence that they're not trying to do anything nefarious by requiring an encryption back or front door (or whatever you want to call it), the issue is a matter of the technical weaknesses that a backdoor presents and not the hidden motives it may represent.

Why Can't They Make a Gun that Only Kills Bad Guys?

Comey's insistence that companies should provide some kind of backdoor to encrypted devices, allowing the FBI and other law enforcement agencies to easily access legally-obtainable evidence, is almost as laughable as asking the above question on guns.

Indeed, and I'm going off on a tangent here, but wouldn't it be much more beneficial to law enforcement if guns only killed the bad guys? Think about it, there'd be positive cascading effects: agents of law enforcement wouldn't get hurt or killed. With officers secure in the knowledge that they won't be shot ('cause they're the good guys), accusations of police brutality or excessive force would greatly decrease. Accidental deaths attributed to gunshot wounds would also decrease. Drive-by shootings of innocent bystanders would fall to zero with such a weapon. Etc, etc, etc.

The fact that the FBI is not actively looking for guns that shoot only the bad guys shows us that they don't live in a fantasy world. But, apparently, there's something magical about encryption (firstlook.org). They just can't imagine a world where encryption cannot possibly be like this magic gun that only shoots the bad guys:

Comey's problem is the nearly universal agreement among cryptographers, technologists and security experts that there is no way to give the government access to encrypted communications without poking an exploitable hole that would put confidential data, as well as entities like banks and power grids, at risk.

But while speaking at Senate Judiciary and Senate Intelligence Committee hearings on Wednesday, Comey repeatedly refused to accept that as reality.

"A whole lot of good people have said it's too hard … maybe that's so," he said to the Intelligence Committee. "But my reaction to that is: I'm not sure they've really tried."

Too hard? Maybe that's so? Try impossible.

But let's assume that the director is correct, and that the proper incentive would make people try harder. Does it make sense that people haven't tried?

Would You Leave Billions of Dollars on the Table?

The encryption software market is currently worth billions of dollars and is expected to be worth $5 billion before 2020. This figure doesn't really do it justice since many encryption solutions and technologies are provided for free or for very little money, relatively speaking. To say that the $5 billion figure is a discounted one is an understatement. If a company were to offer, in this situation, an encryption solution that provides a backdoor without being weaker than its no-backdoor peers, what would a reasonable person expect to happen?

Of course, such a thing is fantasy: the presence of a backdoor by definition means you've just weakened it. After all, what's to prevent a rogue FBI agent from causing problems using the very same backdoor? Or have some foreign agent infiltrate the FBI for the same purpose, per the movie "The Departed" or its Asian original, "Infernal Affairs"?

But suspend your disbelief for a moment. Pretend that a gun that only shoots bad guys is possible. That unicorns prance in your backyard with your kids. That a particular encryption with a backdoor works just as well and as securely as one without a backdoor. One where the backdoor doesn't represent a potential data breach at all. I mean, really strain your brain.

Doesn't logic tell you that it would be a heck of a payday for the company that provides this particular encryption solution? I would imagine that a very sizable part of the $5 billion market would become this company's without any overt marketing. Why? Because everybody could use a backdoor, not just the government.

There are many situations, far-fetched or otherwise, where a backdoor (that, again, does not pose a security risk) would come in handy. What if you forget your password and don't have a copy of the encryption key? It happens more often than you think. Or an employee unexpectedly quits and immediately hightails it to a temple in Nepal without letting you know his computer's password – the same computer where a very important contract is stored? What if you have a government employee who's involved in a crime, and evidence of his crime is stored encrypted on a government computer, and the employee in question is not cooperating?

I imagine that governments alone would opt to use this magic encryption technology over the others, just like the US federal government requires FIPS 140-2 validated solutions on government computers. Why wouldn't they? After all, there are benefits and the backdoor of our imaginary encryption solution does not pose a security threat.

Does a huge slice of $5 billion not sound like a huge incentive to you? It does to me. So why do we not have this technology?

I imagine it's because it's impossible to have encryption with a "secure" backdoor, just like it's impossible to develop the aforementioned gun that only kills bad guys.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading
provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing
support of the AlertBoot disk encryption managed service.
Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts
University in Medford, Massachusetts, U.S.A.